Study: Admins slow in patching Apache-SSL servers

[InfoSec News <isn () c4i org>]

http://www.nwfusion.com/news/2002/0820apssl.html

By Joris Evers
IDG News Service
08/20/02 

Many Web servers running Apache-SSL remain vulnerable to attacks,
although a June security alert prompted administrators to patch
standard Apache Web installations, according to a survey released
Tuesday.

About 75% of Web sites hosted on Apache-SSL servers are vulnerable, as
the software has not been upgraded to fix a serious flaw uncovered in
June, according to a survey by Web server information firm Netcraft,
of Bath, England.

Administrators seem to have given priority to patching regular Apache
installations, as about half of the 22 million Web sites that rely on
Apache are protected through an Apache software upgrade, Netcraft
said.

Apache-SSL is a combination of the Apache Web server and OpenSSL
security software meant to offer secure Web site connections.  
Apache-SSL is used for electronic commerce Web sites, for example.  
Both Apache and OpenSSL are open-source products developed by
volunteers.

The Apache Software Foundation, which supports the Apache open-source
project, in June advised administrators to upgrade their Apache
installations because of a flaw in the way the Web server parses
uploaded data, a so-called chunked encoding vulnerability.

The flaw affects all versions of Apache 1.2, versions of Apache 1.3 up
to 1.3.24 and versions of Apache 2 up to 2.0.36, according to a
statement from the Foundation released on June 20.

Apache is the most used Web server software in the world, with 66% of
active sites running Apache, according to Netcraft.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.